From 87bf394ab23281caf6518eb418c19b6d1df21939 Mon Sep 17 00:00:00 2001 From: Girish Ramakrishnan Date: Sun, 2 Apr 2023 20:22:48 +0200 Subject: [PATCH] Update nginx config Note the STS headers are sent even if we comment it out in nginx because it apparently comes from rails 6.1 - https://github.com/mastodon/mastodon/issues/17083 --- nginx/mastodon.conf | 121 ++++++++++++++++++++++++++++++-------------- 1 file changed, 84 insertions(+), 37 deletions(-) diff --git a/nginx/mastodon.conf b/nginx/mastodon.conf index 357f0dc..2b33377 100644 --- a/nginx/mastodon.conf +++ b/nginx/mastodon.conf @@ -1,8 +1,18 @@ +# derived from https://github.com/mastodon/mastodon/blob/main/dist/nginx.conf + map $http_upgrade $connection_upgrade { default upgrade; '' close; } +upstream backend { + server 127.0.0.1:3000 fail_timeout=0; +} + +upstream streaming { + server 127.0.0.1:4000 fail_timeout=0; +} + proxy_cache_path /run/nginx/cache levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; server { @@ -11,7 +21,7 @@ server { keepalive_timeout 70; sendfile on; - client_max_body_size 80m; + client_max_body_size 99m; root /app/code/public; @@ -22,40 +32,94 @@ server { gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - add_header Strict-Transport-Security "max-age=31536000"; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon; location / { try_files $uri @proxy; } - location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { - add_header Cache-Control "public, max-age=31536000, immutable"; - add_header Strict-Transport-Security "max-age=31536000"; - try_files $uri @proxy; + location = /sw.js { + add_header Cache-Control "public, max-age=604800, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; } - location /sw.js { - add_header Cache-Control "public, max-age=0"; - add_header Strict-Transport-Security "max-age=31536000"; - try_files $uri @proxy; + location ~ ^/assets/ { + add_header Cache-Control "public, max-age=2419200, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ~ ^/avatars/ { + add_header Cache-Control "public, max-age=2419200, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ~ ^/emoji/ { + add_header Cache-Control "public, max-age=2419200, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ~ ^/headers/ { + add_header Cache-Control "public, max-age=2419200, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ~ ^/packs/ { + add_header Cache-Control "public, max-age=2419200, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ~ ^/shortcuts/ { + add_header Cache-Control "public, max-age=2419200, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ~ ^/sounds/ { + add_header Cache-Control "public, max-age=2419200, must-revalidate"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ~ ^/system/ { + add_header Cache-Control "public, max-age=2419200, immutable"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + try_files $uri =404; + } + + location ^~ /api/v1/streaming { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $http_x_real_ip; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Proxy ""; + + proxy_pass http://streaming; + proxy_buffering off; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + + tcp_nodelay on; } location @proxy { - # forwarding cloudron's nginx proxy-proto headers proxy_set_header Host $host; proxy_set_header X-Real-IP $http_x_real_ip; proxy_set_header X-Forwarded-For $http_x_forwarded_for,$remote_addr; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - proxy_set_header X-Forwarded-Host $http_x_forwarded_host; - proxy_set_header X-Forwarded-Port $http_x_forwarded_port; - proxy_set_header X-Forwarded-Server $http_x_forwarded_server; - proxy_set_header Proxy ""; proxy_pass_header Server; - proxy_pass http://127.0.0.1:3000; + proxy_pass http://backend; proxy_buffering on; proxy_redirect off; proxy_http_version 1.1; @@ -64,29 +128,12 @@ server { proxy_cache CACHE; proxy_cache_valid 200 7d; + proxy_cache_valid 410 24h; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; add_header X-Cached $upstream_cache_status; - add_header Strict-Transport-Security "max-age=31536000"; tcp_nodelay on; } - location /api/v1/streaming { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Proxy ""; - - proxy_pass http://127.0.0.1:4000; - proxy_buffering off; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - tcp_nodelay on; - } - - error_page 500 501 502 503 504 /500.html; + error_page 404 500 501 502 503 504 /500.html; }